<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Users are frequently locked out of Active Directory | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'trouble-shoot-active-directory.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trouble-shoot-active-directory.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trouble-shoot-active-directory.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/trouble-shoot-active-directory.html" rel="nofollow" target="_blank">../en/trouble-shoot-active-directory.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="security-troubleshooting.html">Troubleshooting security</a></span>
»
<span class="breadcrumb-node">Users are frequently locked out of Active Directory</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-trb-extraargs.html">« Users command fails due to extra arguments</a>
</span>
<span class="next">
<a href="trb-security-maccurl.html">Certificate verification fails for curl on Mac »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="trouble-shoot-active-directory"></a>Users are frequently locked out of Active Directory<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/troubleshooting.asciidoc">edit</a>
</h2>
</div></div></div>
<p><span class="strong strong"><strong>Symptoms:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Certain users are being frequently locked out of Active Directory.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Resolution:</strong></span></p>
<p>Check your realm configuration; realms are checked serially, one after another.
If your Active Directory realm is being checked before other realms and there
are usernames that appear in both Active Directory and another realm, a valid
login for one realm might be causing failed login attempts in another realm.</p>
<p>For example, if <code class="literal">UserA</code> exists in both Active Directory and a file realm, and
the Active Directory realm is checked first and file is checked second, an
attempt to authenticate as <code class="literal">UserA</code> in the file realm would first attempt to
authenticate against Active Directory and fail, before successfully
authenticating against the <code class="literal">file</code> realm. Because authentication is verified on
each request, the Active Directory realm would be checked - and fail - on each
request for <code class="literal">UserA</code> in the <code class="literal">file</code> realm. In this case, while the authentication
request completed successfully, the account on Active Directory would have
received several failed login attempts, and that account might become
temporarily locked out. Plan the order of your realms accordingly.</p>
<p>Also note that it is not typically necessary to define multiple Active Directory
realms to handle domain controller failures. When using Microsoft DNS, the DNS
entry for the domain should always point to an available domain controller.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="security-trb-extraargs.html">« Users command fails due to extra arguments</a>
</span>
<span class="next">
<a href="trb-security-maccurl.html">Certificate verification fails for curl on Mac »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>